WHAT IS CLAIMED IS: 

1. A system comprising:

a terminal capable of communicating at least one of within and across at least one 
network, wherein the terminal is included within an organization including a plurality of 
terminals, each terminal being at at least one of a plurality of positions within the
organization; 

a primary certification authority (CA) capable of providing an identity certificate 
to the terminal, wherein the primary CA is capable of issuing an identity certificate to 
each terminal of the organization; 

a secondary CA capable of providing at least one role certificate to the terminal
based upon the at least one position of the terminal within the organization, wherein the
organization includes a plurality of secondary CA's capable of issuing at least one role 
certificate to respective groups of terminals of the organization based upon the at least 
one position of each of the respective terminals within the organization; and 

a server capable of authenticating the terminal based upon the identity certificate
and the at least one role certificate of the terminal to thereby determine whether to grant
the terminal access to at least one resource of the server. 

2. A system according to Claim 1, wherein the terminal comprises a terminal 
included within an organization comprising a customer base of a cellular service provider
that includes a plurality of terminals, each terminal being at one of a plurality of positions
comprising a plurality of service plans offered by the cellular network operator. 

3. A system according to Claim 1, wherein the terminal comprises a terminal 
included within an organization comprising a customer base of a cellular service provider
that includes a plurality of terminals, each terminal being at at least one of a plurality of
positions comprising a plurality of services offered by the cellular network operator. 

4. A system according to Claim 1, wherein the secondary CA is capable of 
providing at least one role certificate each having an associated validity time no greater
than a validity time of the identity certificate provided by the primary CA.

5. A system according to Claim 4, wherein the server is capable of
authenticating the terminal based upon the validity times of the identity certificate and at 
least one role certificate of the respective terminal. 



6. A system according to Claim 1, wherein the terminal is capable of 
requesting access to at least one resource of a server before the server authenticates the 
terminal, and wherein the server is capable of granting access to the at least one resource 
if the terminal is authenticated. 


7. A method of authenticating a terminal comprising: 

providing a terminal capable of communicating at least one of within and across 
at least one network, wherein the terminal is included within an organization including a 
plurality of terminals, each terminal being at at least one of a plurality of positions within 
the organization;

providing an identity certificate to the terminal from a primary certification 
authority (CA), wherein the primary CA is capable of issuing an identity certificate to 
each terminal of the organization; 

providing at least one role certificate to the terminal from a secondary CA based 
upon the at least one position of the terminal within the organization, wherein the
organization includes a plurality of secondary CA's capable of issuing at least one role 
certificate to respective groups of terminals of the organization based upon the at least 
one position of each of the respective terminals within the organization; and 

authenticating the terminal at a server based upon the identity certificate and the 
at least one role certificate of the terminal to thereby determine whether to grant the
terminal access to at least one resource of the server. 



8. A method according to Claim 7, wherein providing a terminal comprises 
providing a terminal included within an organization comprising a customer base of a 
cellular service provider that includes a plurality of terminals, each terminal being at one
of a plurality of positions comprising a plurality of service plans offered by the cellular
network operator. 

9. A method according to Claim 7, wherein providing a terminal comprises 
providing a terminal included within an organization comprising a customer base of a
cellular service provider that includes a plurality of terminals, each terminal being at at 
least one of a plurality of positions comprising a plurality of services offered by the 
cellular network operator. 

10. A method according to Claim 7, wherein providing at least one role
certificate comprises providing at least one role certificate each having an associated 
validity time no greater than a validity time of the identity certificate. 

11. A method according to Claim 10, wherein authenticating the terminal 
comprises authenticating the terminal based upon the validity times of the identity
certificate and at least one role certificate of the respective terminal. 

12. A method according to Claim 7 further comprising: 

requesting, from the terminal, access to at least one resource of a server before
authenticating the terminal; and

granting access to the at least one resource if the terminal is authenticated. 

13. A terminal included within an organization including a plurality of 
terminals, each terminal being at at least one of a plurality of positions within the
organization, the terminal comprising:

a controller capable of communicating at least one of within and across at least 
one network, wherein the controller is capable of obtaining an identity certificate from a
primary certification authority (CA) capable of issuing an identity certificate to each
terminal of the organization, wherein the controller is also capable of obtaining at least
one role certificate from a secondary CA based upon the at least one position of the
terminal within the organization, wherein the organization includes a plurality of
secondary CA's capable of issuing at least one role certificate to respective groups of
terminals of the organization based upon the at least one position of each of the 
respective terminals within the organization; and 

a memory capable of storing the identity certificate and at least one role 
certificate,

wherein the controller is also capable of communicating with a server such that 
the server is capable of authenticating the terminal based upon the identity certificate and 
the at least one role certificate of the terminal to thereby determine whether to grant the 
terminal access to at least one resource of the server. 


14. A terminal according to Claim 13, wherein the controller is capable of 
obtaining an identity certificate from a primary CA capable of issuing an identity
certificate to each terminal of the organization comprising a customer base of a cellular
service provider that includes a plurality of terminals, each terminal being at one of a
plurality of positions comprising a plurality of service plans offered by the cellular
network operator. 

15. A terminal according to Claim 13, wherein the controller is capable of 
obtaining an identity certificate from a primary CA capable of issuing an identity
certificate to each terminal of the organization comprising a customer base of a cellular
service provider that includes a plurality of terminals, each terminal being at at least one
of a plurality of positions comprising a plurality of services offered by the cellular
network operator. 

16. A terminal according to Claim 13, wherein the controller is capable of
obtaining at least one role certificate each having an associated validity time no greater 
than a validity time of the identity certificate obtained by the controller. 

17. A terminal according to Claim 16, wherein the controller is also capable of 
communicating with a server such that the server is capable of authenticating the terminal
based upon the validity times of the identity certificate and at least one role certificate of
the respective terminal. 

18. A terminal according to Claim 13, wherein the controller is capable of 
requesting access to at least one resource of a server before the server authenticates the
terminal such that the server is capable of granting access to the at least one resource if 
the terminal is authenticated. 
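
An illustrative sketch of the server-side decision recited in Claims 1, 4-5, 7 and 10-11, added here as an example; it is not part of the claims or of any implementation by the applicant. The certificate structure, CA names and keys are constructed, HMAC stands in for real CA signatures, and "validity time" is read as the certificate's expiry time (an assumption).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample keys. HMAC stands in for real CA signatures (assumption).
PRIMARY_KEYS = {"primary-ca": b"constructed-primary-key"}
SECONDARY_KEYS = {"gold-plan-ca": b"constructed-gold-key"}

@dataclass(frozen=True)
class Cert:
    subject: str          # terminal identifier
    issuer: str           # name of the issuing CA
    role: Optional[str]   # None marks an identity certificate
    not_before: int       # validity window, seconds since epoch
    not_after: int
    sig: bytes = b""

def _mac(cert, key):
    # The MAC covers every field except the signature itself.
    body = json.dumps([cert.subject, cert.issuer, cert.role,
                       cert.not_before, cert.not_after]).encode()
    return hmac.new(key, body, hashlib.sha256).digest()

def issue(issuer, key, subject, role, not_before, not_after):
    cert = Cert(subject, issuer, role, not_before, not_after)
    return replace(cert, sig=_mac(cert, key))

def _trusted(cert, keys, now):
    key = keys.get(cert.issuer)          # unknown issuer: reject
    return (key is not None
            and hmac.compare_digest(cert.sig, _mac(cert, key))
            and cert.not_before <= now <= cert.not_after)

def authenticate(identity, role_certs, required_role, now):
    """Grant access only with a valid identity cert AND a valid matching role cert."""
    if identity.role is not None or not _trusted(identity, PRIMARY_KEYS, now):
        return False
    for rc in role_certs:
        if (rc.role == required_role
                and rc.subject == identity.subject          # bound to the same terminal
                and rc.not_after <= identity.not_after      # Claims 4 and 10
                and _trusted(rc, SECONDARY_KEYS, now)):     # issued by a secondary CA
            return True
    return False
```

A role certificate signed by the primary CA is rejected here because its issuer is looked up only among the secondary CA keys, which keeps the two issuing authorities separate as the claims describe.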






AttyDktNo 042933/272520 



